OS X Server 10.3 Mail SMTP Authentication

    #360655
    cshooshan
    Participant

    We have been struggling with our mail server for a while. We finally have SpamAssassin working. But there is one thing that we can’t figure out — if our users use an e-mail client from a non-trusted network, the mail server doesn’t seem to check for SMTP authentication (even though all the documents say that it should). I have tried several suggestions from here and the Apple Developer site — all to no avail.

    Our username database is LDAP and works fine with Squirrelmail and pop mail.

    The problem in a nutshell:

    inside to inside: works
    inside to outside: works
    outside to inside: works
    outside to outside: does not work (rejected as relay when it should also check for smtp authentication)

    So, I would greatly appreciate any input.

    Here are the Postfix configuration settings and some SMTP log entries that show the unsuccessful attempts. [Note: the first one "works" because I temporarily added my home IP network to my trusted networks.]

    =========================

    Operating System: OS X Server 10.3.7
    ======================================

    Postfix mail_version: 2.0.10
    ==============================

    Results from postconf -n:
    ========================

    always_bcc =
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    enable_server_options = yes
    inet_interfaces = all
    luser_relay =
    mail_owner = postfix
    mailbox_command = /usr/bin/procmail -a "$EXTENSION"
    mailbox_transport = procmail
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    message_size_limit = 10240000
    mydestination = $myhostname,localhost.$mydomain,our_real_host.org
    mydomain_fallback = localhost
    myhostname = mail.our_real_host.org
    mynetworks = 127.0.0.1/32,172.16.128.3/32,10.61.0.0/16,69.abc.def.gef/26
    mynetworks_style = host
    newaliases_path = /usr/bin/newaliases
    queue_directory = /private/var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    relayhost =
    sample_directory = /usr/share/doc/postfix/examples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtpd_client_restrictions = reject_rbl_client relays.ordb.org
    smtpd_enforce_tls = no
    smtpd_pw_server_security_options = cram-md5
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
    smtpd_sasl_auth_enable = yes
    smtpd_tls_loglevel = 0
    smtpd_use_pw_server = yes
    smtpd_use_tls = no
    unknown_local_recipient_reject_code = 450

    ======================================

    SMTP log (/var/log/mail.log) entry when IP address is in mynetworks:
    ===================================================================

    Feb 9 15:39:48 mail postfix/smtpd[19325]: connect from 66.159.abc.def.adsl.snet.net[66.159.abc.def]
    Feb 9 15:39:49 mail postfix/smtpd[19325]: 71B5E1F7AF7: client=66.159.abc.def.adsl.snet.net[66.159.abc.def]

    Feb 9 15:39:58 mail postfix/qmgr[17418]: 3D6301F7B18: from=<chasshoo@our_real_host.org>, size=691, nrcpt=1 (queue active)
    Feb 9 15:40:00 mail postfix/smtp[19363]: 3D6301F7B18: to=<[email protected]>, relay=snetmx3.prodigy.net[204.60.203.71], delay=2, status=sent (250 2.0.0 j19KdwQM008683 Message accepted for delivery)

    SMTP log entry when IP address is not in mynetworks and client mail program has SMTP authentication off:
    =======================================================================================================

    Feb 9 15:50:06 mail postfix/smtpd[19795]: 9F92E1F7DA0: reject: RCPT from 66.159.abc.def.adsl.snet.net[66.159.abc.def]: 554 <[email protected]>: Relay access denied; from=<chasshoo@our_real_host.org> to=<[email protected]> proto=SMTP helo=<cs>

    SMTP log entry when IP address is not in mynetworks and client mail program has SMTP authentication on (log entry seems the same):
    =================================================================================================================================

    Feb 9 15:53:10 mail postfix/smtpd[19846]: 0D2EF1F7DE9: reject: RCPT from 66.159.abc.def.adsl.snet.net[66.159.abc.def]: 554 <[email protected]>: Relay access denied; from=<chasshoo@our_real_host.org> to=<[email protected]> proto=SMTP helo=<cs>

    =========

    Thanks again,
    Charlie
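The reject lines above carry one server-side clue worth reading mechanically: `proto=SMTP` means the client opened the session with HELO, not EHLO, and Postfix only advertises AUTH in reply to EHLO, so such a session can never authenticate whatever main.cf says. The following script is an added example, not part of Charlie's post or of Apple's or Postfix's code. It parses reject lines of the shape shown above, tests the client address against a mynetworks value of the same shape as the one in the postconf output, and points at the likely cause. The log lines, the `our_real_host.org` sender, and the documentation-range IP addresses are all constructed stand-ins for the poster's redacted values.

```python
"""Triage Postfix 'Relay access denied' rejections from /var/log/mail.log.

Added example, not from the thread. It reads the reject lines Postfix 2.x smtpd
writes, checks whether the client address sits inside mynetworks, and records
whether the session was plain SMTP (client sent HELO) or ESMTP (client sent
EHLO). AUTH is an ESMTP extension that the server only advertises in reply to
EHLO, so a HELO-only session can never authenticate no matter how main.cf is set.
"""
import ipaddress
import re
from dataclasses import dataclass

# Same shape as the thread's mynetworks value; the public /26 is replaced with an
# RFC 5737 documentation range because the poster's address was redacted.
MYNETWORKS = "127.0.0.1/32,172.16.128.3/32,10.61.0.0/16,198.51.100.0/26"

REJECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d{3}) <(?P<rcpt>[^>]*)>: "
    r"(?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<[^>]*> "
    r"proto=(?P<proto>E?SMTP) helo=<(?P<helo>[^>]*)>"
)

# Constructed log lines modelled on the two reject entries in the post above,
# plus one from an inside address; the IPs are documentation addresses.
SAMPLE_LOG = [
    "Feb 9 15:50:06 mail postfix/smtpd[19795]: 9F92E1F7DA0: reject: RCPT from "
    "client.example.net[192.0.2.10]: 554 <someone@example.com>: Relay access denied; "
    "from=<user@our_real_host.org> to=<someone@example.com> proto=SMTP helo=<cs>",
    "Feb 9 15:53:10 mail postfix/smtpd[19846]: 0D2EF1F7DE9: reject: RCPT from "
    "client.example.net[192.0.2.10]: 554 <someone@example.com>: Relay access denied; "
    "from=<user@our_real_host.org> to=<someone@example.com> proto=ESMTP helo=<cs>",
    "Feb 9 15:55:00 mail postfix/smtpd[19900]: 1A2B3C4D5E6: reject: RCPT from "
    "unknown[10.61.4.7]: 554 <someone@example.com>: Relay access denied; "
    "from=<user@our_real_host.org> to=<someone@example.com> proto=SMTP helo=<laptop>",
    "Feb 9 15:56:00 mail postfix/smtpd[19901]: connect from client.example.net[192.0.2.10]",
]


@dataclass
class Verdict:
    queue_id: str
    client_ip: str
    proto: str
    in_mynetworks: bool
    note: str


def parse_networks(value):
    """Turn a comma-separated mynetworks value into ip_network objects."""
    return [ipaddress.ip_network(n.strip()) for n in value.split(",") if n.strip()]


def in_mynetworks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(lines, mynetworks=MYNETWORKS):
    """Return one Verdict per relay rejection, with a pointer at the likely cause."""
    nets = parse_networks(mynetworks)
    verdicts = []
    for line in lines:
        m = REJECT_RE.search(line)
        if not m or "Relay access denied" not in m["reason"]:
            continue
        trusted = in_mynetworks(m["ip"], nets)
        if trusted:
            note = ("client is inside mynetworks but was still refused: "
                    "permit_mynetworks was not reached, check smtpd_recipient_restrictions")
        elif m["proto"] == "SMTP":
            note = ("client never sent EHLO, so smtpd never advertised AUTH; "
                    "check the client's ESMTP/AUTH setting and anything between "
                    "client and server that could rewrite the session")
        else:
            note = ("ESMTP session without a successful AUTH: check whether AUTH "
                    "was offered in the EHLO reply and what the client tried")
        verdicts.append(Verdict(m["qid"], m["ip"], m["proto"], trusted, note))
    return verdicts


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v.queue_id} {v.client_ip:>14} {v.proto:<5} mynetworks={v.in_mynetworks} {v.note}")
```

Run against a real mail.log the script only needs the mynetworks value from `postconf -n`; a run of `proto=SMTP` rejections from clients that are configured for authentication is the pattern to look for, because it says the EHLO never reached smtpd.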

    #360685
    cshooshan
    Participant

    Dear MacTroll:

    This is where I’m a bit confused so I apologize if my response is not what you need:

    I have tried modifying the line:
    smtpd_pw_server_security_options = cram-md5

    by adding, changing order, and including / not including methods:

    For example,
    smtpd_pw_server_security_options = cram-md5,login,plain

    smtpd_pw_server_security_options = plain,login,cram-md5

    smtpd_pw_server_security_options = plain

    smtpd_pw_server_security_options = login,plain

    There was no change.

    When I telnet to port 25, all I see is:

    220 ******************************
    mail from: [email protected]
    250 ok
    rcpt to: somebody@somewhere_else.com
    554 (somebody@somewhere_else.com) Relay access denied

    It doesn’t seem to even try authentication.

    The OS X Server uses its own LDAP database to authenticate users. This works for pop and squirrelmail just fine.

    No users have traditional home directories.

    Netinfo appears turned off with respect to an alternative password store.

    There is a file /etc/sasldb2.db that I cannot figure out how OS X Server updates. It’s recent (three days old) and doesn’t rebuild when I reboot, or start and stop the mail service either from the terminal or the GUI (of course, if I start and stop from the GUI, I have to copy config files back in since they are otherwise overwritten).

    As far as, “Are the users PWS users?” I’m sorry but to be honest, I am not sure if I have really answered that question.

    One possibility that I have seen in a few places is to try to update postfix to 2.1 (it’s now Apple’s 2.0.10 version). I am somewhat afraid that I might break something in the process and I am unclear as to how to create and update the authenticated user database so that postfix 2.1 could use it. I really don’t want to do this — there must be a way to get AUTH working in the current config.

    Finally, I did compare my “postconf -n” to someone who was kind enough to e-mail me his output on the same server version that works. The only difference was, he had:

    smtpd_pw_server_security_options = plain

    which I mentioned that I have tried.

    Thanks for listening. Any more help would be appreciated,
    Charlie

    #360694
    cshooshan
    Participant

    Success! All fixed!

    Solution first:

    Someone (Me! Argggggggh!) left a default setting in the Pix firewall that masquerades as "Mail Guard" — the "bad" command is: fixup protocol smtp 25

    so the Pix (Cisco firewall) needed in config:

    no fixup protocol smtp 25

    (this used to be a problem with Microsoft Exchange but was fixed — I guess for Xserve it’s a problem).

    So, even though port 25 was open, with the "fixup" command, the EHLO message wasn’t getting "heard."

    Also, I did add back in plain and login so now I have:

    smtpd_pw_server_security_options = plain,login,cram-md5

    (in main.cf)

    ===========

    QUESTION:

    Does the order of options above matter — do some clients choose in that order (like Outlook maybe)?

    ===========

    During my quest, I stumbled upon and enhanced this list that may be of use to someone here:
    SMTP Authentication Supported by Mail Client

    Apple Mail (OS X 10.1.3): LOGIN, PLAIN
    Entourage 9 (Office 2001): LOGIN, PLAIN

    Eudora 3.x: NONE
    Eudora 4.x: CRAM-MD5

    Netscape 3.x: NONE
    Netscape 4.0x: LOGIN
    Netscape 4.5 or above: LOGIN, PLAIN

    Outlook Express 4.x or above: LOGIN

    Outlook 97 (Office 97): NONE
    Outlook 98: LOGIN, PLAIN
    Outlook 2000 (Office 2000): PLAIN, ENCRYPTED
    Outlook 2002 (Office XP): PLAIN, ENCRYPTED

    Outlook Express 5.0.2: NONE
    Outlook Express 5.0.6: LOGIN (Deprecated)

    Pegasus: LOGIN, CRAM-MD5 (auto-selects CRAM-MD5 if available)

    Entourage X (10.1.1): CRAM-MD5

    Mac OS X Mail (10.2.5): PLAIN (Password), CRAM-MD5 (MD5 Challenge/Response), Kerberos v4, GSSAPI (Kerberos v5)

    I hope my experience will help someone else who is scratching his or her head with this problem.

    Thanks for everything,
    Charlie
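The failure in this thread is visible from the client side before any password is sent: the `220 ******` banner in the telnet transcript is the Mail Guard fixup masking the greeting, and a client that then sends EHLO never gets a `250-AUTH ...` line back, so it has nothing to authenticate with. The script below is an added example written for this page, not code from Charlie's posts, from Apple or from Postfix. It parses an EHLO reply the way a mail client does, flags the masked banner, lists the advertised AUTH mechanisms, and chooses one from a client-side preference list, which is also the answer to the order question above: the order in `smtpd_pw_server_security_options` (or in the EHLO reply) is not a ranking the client has to follow, each client picks from its own preference list. The healthy and filtered replies are constructed; the asterisk banner copies the transcript, while the `500` reply to EHLO is an assumption about how the firewall answers a command it does not pass. The `probe()` function does a live check against a host you name.

```python
"""Check what an SMTP server offers after EHLO and choose an AUTH mechanism.

Added example, not code from the thread or from Apple or Postfix. It parses the
multi-line EHLO reply the way a mail client does, reports whether AUTH was
advertised, flags a 220 banner reduced to asterisks (the Mail Guard symptom in
the telnet transcript above), and picks a mechanism from a client-side
preference list rather than from the order the server happens to list them.
"""
import re
import socket

# Client preference: challenge-response before the two cleartext mechanisms.
# This list is the example's own choice; real clients each carry their own.
CLIENT_PREFERENCE = ["CRAM-MD5", "LOGIN", "PLAIN"]

# Constructed replies. The healthy pair is what a Postfix server with SASL enabled
# returns; the filtered pair is how the thread's server looked through the PIX:
# the asterisk banner is from the poster's transcript, the 500 reply to EHLO is
# an assumption about how the firewall answers a command it does not pass.
HEALTHY_BANNER = "220 mail.our_real_host.org ESMTP Postfix\r\n"
HEALTHY_EHLO = ("250-mail.our_real_host.org\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
                "250-AUTH LOGIN PLAIN CRAM-MD5\r\n250-AUTH=LOGIN PLAIN CRAM-MD5\r\n"
                "250 8BITMIME\r\n")
FILTERED_BANNER = "220 ******************************\r\n"
FILTERED_EHLO = "500 Command unrecognized\r\n"


def parse_reply(reply):
    """Split one SMTP reply into (code, first_line_text, {keyword: [params]}).

    Handles the '250-' continuation form; a single-line '500 ...' reply parses
    to code '500' with no capabilities.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    code = lines[0][:3]
    greeting, caps = "", {}
    for i, line in enumerate(lines):
        if line[:3] != code or line[3:4] not in ("-", " "):
            raise ValueError(f"malformed reply line: {line!r}")
        body = line[4:]
        if i == 0:
            greeting = body
        else:
            parts = body.split()
            if parts:
                caps[parts[0].upper()] = parts[1:]
        if line[3:4] == " ":          # a space after the code ends the reply
            break
    return code, greeting, caps


def offered_auth(caps):
    """AUTH mechanisms advertised, in listing order, without duplicates."""
    mechs = list(caps.get("AUTH", []))
    for key, params in caps.items():  # old 'AUTH=PLAIN LOGIN' form, still seen
        if key.startswith("AUTH="):
            mechs = [key[5:]] + list(params) + mechs
    return list(dict.fromkeys(m.upper() for m in mechs))


def choose_mechanism(server_mechs, preference=CLIENT_PREFERENCE):
    """First mechanism in the client's own order that the server also offers."""
    for m in preference:
        if m in server_mechs:
            return m
    return None


def banner_is_masked(banner):
    """True for a '220 *****' banner, i.e. the greeting text replaced by stars."""
    m = re.match(r"220[ -](.*)", banner.strip())
    return bool(m) and m.group(1) != "" and set(m.group(1)) == {"*"}


def report(banner, ehlo_reply):
    """Summarise banner state, EHLO acceptance, offered AUTH and the pick."""
    code, _, caps = parse_reply(ehlo_reply)
    mechs = offered_auth(caps) if code == "250" else []
    return {
        "banner_masked": banner_is_masked(banner),
        "ehlo_accepted": code == "250",
        "auth_offered": mechs,
        "chosen": choose_mechanism(mechs),
    }


def read_reply(f):
    """Read one complete (possibly multi-line) reply from a socket file object."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if line[3:4] == " ":
            return "".join(lines)


def probe(host, port=25, helo_name="probe.example.org", timeout=10):
    """Live check: connect, read the banner, send EHLO, QUIT, and report."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="ascii", errors="replace", newline="")
        banner = read_reply(f)
        f.write(f"EHLO {helo_name}\r\n")
        f.flush()
        reply = read_reply(f)
        f.write("QUIT\r\n")
        f.flush()
    return report(banner, reply)


if __name__ == "__main__":
    print("healthy :", report(HEALTHY_BANNER, HEALTHY_EHLO))
    print("filtered:", report(FILTERED_BANNER, FILTERED_EHLO))
```

Two caveats for anyone copying the final main.cf from this thread. The postconf output shows `smtpd_use_tls = no`, and both PLAIN and LOGIN carry the password as base64, not encrypted, so on that server they cross the network in the clear; CRAM-MD5 keeps the password off the wire but, as the client table above shows, excludes several older clients. And the probe should be run from outside the firewall as well as inside: with `fixup protocol smtp 25` in place, the inside view and the outside view of the same server differ, which is exactly the inside-to-outside works / outside-to-outside fails pattern in the first post.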
